Security holes in many PDF components

A bug in the Xpdf 3.02 source code can cause the PDF viewer to crash. Programs that use Xpdf code are affected.

The bug, which has the CVE ID CVE-2007-3387 and is caused by incorrect memory allocation checking in the "StreamPredictor" class constructor. The security hole, which was discovered by Xpdf developer Derek Noonburg himself, would theoretically give an attacker the ability to run code with the privileges of the user running the program. However, a PDF document capable of executing malicious code is unknown at the present

The developers advise users to update PDF Viewer and any programs containing Xpdf code. Candidates include various KDE components such as Kpdf and Koffice. The Gnome desktop environment with its Poppler PDF library is also affected. The KDE project has published source code patches, and several Linux distributions have already built updated packages.

In one fell swoop and with an automatically distributed patch, Google and T-Mobile fixed a problem with the G1 mobile phone whereby users could access root privileges and possibly raise all kinds of havoc.

On stimulus from the German Federal Agency for Information Security (BSI), Felix "FX" Lindner of the Phenoelit hacker group investigated the security of Flash object code. The result is a free protection program with the name Blitzableiter ("lightning rod").